Mail Server setup

Introduction

This setup uses the Postfix 2.7 (SMTP server/MTA) / Dovecot 1.2 (POP3/IMAP server) combination that is installed as the Ubuntu/Debian mail server. It was tested on a Lucid (10.04.2) 64-bit server with a Kubuntu (KDE) desktop.

To use it, MX records with a DNS registrar must be set up in advance.

Setting up MX records with a DNS registrar

In this example, I have a domain named mydomain.org which is registered at MasterBlaster DNS Registrar. I will accept mail at mydomain.org and mx.mydomain.org, so that mail addressed either as user1@mydomain.org or user1@mx.mydomain.org will be directed to my mail server to the mail account of user1.

If the LAN on which the mail server's host computer is located uses Dynamic IP addresses and you wish to use CNAME alias forwarding with your primary DNS Registrar then see this section. I have read elsewhere that only an A record is allowed as an MX DNS record type, but perhaps this is DNS Registrar-specific. My MasterBlaster DNS Registrar allows a CNAME alias as the MX record type, as well.

In this example, I have a dynamic IP address registered at DynDNS.com as mydddomain.dyndns.org. (The registered dynamic DNS URL name does not have to have any relation to the primary domain's registered URL.) The same Dynamic DNS URL that is used as the CNAME alias for the record of other services can also be used as the CNAME alias for the MX mail record. My server then updates the dynamic IP address for the Dynamic DNS URL mydddomain.dyndns.org at DynDNS.com using ddclient.

Whenever address records are changed at a DNS registrar, the change can take as little as half an hour (and never less than the record's TTL, in seconds) or sometimes as long as several hours to propagate. (Dynamic IP addressing, however, generally uses a very short TTL, and the IP address update itself (by ddclient) is nearly instantaneous.) To find out which IP address mail for your domain is currently being sent to, try

telnet mx.mydomain.org 25

It should display a message with your current IP Address such as

"Trying 66.77.88.99..."

If it shows some other address, the changes have not yet propagated. Be patient.

Of course, until you have your Mail / SMTP server set up and all paths routed and firewalls opened (for port 25, at least), you will get the message

Install the Mail server

(Alternatively you can use sudo tasksel install mail-server or sudo tasksel with the Mail server task, but the configuration files with these methods use the mbox format by default instead.)

-> Postfix Configuration: General type of mail configuration: Internet site

-> Postfix Configuration: System mail name: mydomain.org

If there are problems with dependencies, they can often be fixed:

sudo apt-get install -f

I also was forced to remove exim4 using apt-get on the command line because exim4 was blocking the installation of postfix:

sudo apt-get remove --purge exim4
sudo apt-get install -f

I did not remove exim4 through a package manager because my package manager linked my drupal6 package to exim4; removing exim4 through a package manager removed my drupal6 package as well. This linked behavior didn't occur when removing exim4 through the command-line apt-get.

If the scripted Postfix installation fails, it can often be re-run:

sudo dpkg-reconfigure dovecot-postfix

or sometimes

sudo dpkg-reconfigure postfix

During installation, Postfix creates and uses a default (self-signed) security certificate, as specified in the /etc/postfix/main.cf file:

During installation, a (self-signed) SSL certificate is also created by Dovecot for this domain. By default the certificate is written to /etc/ssl/certs/dovecot.pem and the private key file to /etc/ssl/private/dovecot.pem (with the certificate set to expire in 365 days). If you wish to change this, see the Dovecot wiki.

It is easiest to stick with the snakeoil certificates when they are available; to use Dovecot's own default certificate instead, edit the Dovecot configuration file (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):

In versions of Dovecot installed with an integrated installer (such as dovecot-postfix), leave the lines (in /etc/dovecot/dovecot.conf) commented out and instead edit the appropriate configuration file in /etc/dovecot/conf.d. (Earlier versions used /etc/dovecot/dovecot-postfix.conf.) For example (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):

sudo kate /etc/dovecot/conf.d/10-dovecot-postfix.conf

using the same certificate files created by Postfix (that are referenced by the symbolic links):

or if the snakeoil certificates are referenced directly, make no changes.

Restart Dovecot:

sudo /etc/init.d/dovecot restart

Optionally, install Mutt for testing IMAP mail from the command line (Mutt is usually installed with Postfix), and Roundcube as a Java/AJAX-powered (browser-based) webmail service. (An alternative to Roundcube is the PHP-based Squirrelmail.)

Edit Postfix to reflect all variations of your domain name

Edit the /etc/postfix/main.cf file (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):

sudo kate /etc/postfix/main.cf

to reflect all possible variations of the email domain that will be used to send mail. For example, I get mail at emailuser@mail.mydomain.org and at emailuser@mydomain.org. I therefore include mydomain.org and mail.mydomain.org in the line:

The dovecot-postfix installer edits the /etc/postfix/main.cf file so that it will be used with the Maildir (mail spool) folder system (and will use the Dovecot mail delivery system). You can verify that these lines are present:

Open and forward appropriate ports

Of course, in order for your router to forward ports to your mail server, your mail server must have a static IP address on your LAN. In versions prior to Precise Pangolin I was not able to get Network Manager to accept my static IP address settings. For those versions I removed it and created a static IP address. (Alternatively, you can remove network manager and install Wicd, which allows static IP addresses over wired or wireless connections.)

Your firewall also must not block the required incoming ports, and your router must forward them to your mail server.

IMAP/IMAPS: Ports 143 and 993

POP3/POP3S: Ports 110 and 995

SMTP: Ports 25 and 587

LDAP: Port 389

While troubleshooting, allow all these ports to remain unblocked by a firewall (both for inbound and outbound traffic).

Set up Dovecot to listen on these ports by editing /etc/dovecot/dovecot.conf, /etc/dovecot/conf.d/10-dovecot-postfix.conf, or /etc/dovecot/dovecot-postfix.conf (whichever of these your setup uses; it may be more than one). (Use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu.)

Note: I happen to use Thunderbird with IMAP, so I also add a workaround line that enables usage of the Maildir (mail spooling) folder system with Thunderbird.

Set up Dovecot to be used with Thunderbird

To use with Thunderbird, edit the file /etc/dovecot/dovecot.conf and/or /etc/dovecot/conf.d/10-dovecot-postfix.conf and/or /etc/dovecot/dovecot-postfix.conf (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):

sudo kate /etc/dovecot/conf.d/10-dovecot-postfix.conf

and add the lines:

protocol imap {
...
imap_client_workarounds = tb-extra-mailbox-sep
}

In Thunderbird, under 'Server Settings' -> Advanced, uncheck "Show only subscribed folders". (This may be optional.)

While searching for server settings, the email client computer should not have outgoing ports 25, 587, 143, 993, 110, 995, and/or 465 blocked, or Thunderbird will not be able to connect automatically.

Create a Dovecot-compatible Maildir directory skeleton

This is a set of default folders that can later be copied for each user. Include the folders you think your users will use. (For additional tips, see the community Ubuntu Dovecot page.) Here is an example set:

Single User Quick Setup

This method uses system user accounts for email accounts. It uses the same pamdb password file and authentication used for system users. It is useful (and quick and easy) if you only have one email domain and only a few users (for each of whom you don't mind creating a system account). An advantage is that it is trivial later to copy (or move) the user's Maildir folder to another location for backup (or migration) purposes.

Create a new user whose username (e.g. emailusername) will be the one you will use for email.

I find it necessary to login once to the new user account for general housekeeping purposes such as ensuring the correct password. I make the password the same as the one I will use for the email account.

Edit the /etc/dovecot/dovecot.conf (and/or /etc/dovecot/conf.d/10-dovecot-postfix.conf and/or /etc/dovecot/dovecot-postfix.conf) file(s) so that the Maildir (mail spool) folder system is used on a per-user basis. Change the appropriate line to resemble:

mail_location = maildir:/home/%u/Maildir

Testing

Reload Dovecot and Postfix:

sudo /etc/init.d/dovecot restart
sudo /etc/init.d/postfix restart

Test that Postfix SMTP is running:

telnet localhost 25

and

telnet mail.mydomain.org 25

then test that Dovecot IMAP is running:

telnet localhost imap2

and

telnet mail.mydomain.org imap2

(for older versions of Dovecot, use telnet localhost imap)

Login (through imap) with the text-based email client Mutt:

mutt -f imap://emailuser@mail.mydomain.org

Use Thunderbird to create a new IMAP email account for emailusername@mail.mydomain.org. Accept the self-signed certificates. (You may need to quit and restart Thunderbird again for the Maildir folders to register correctly.)

Before starting any troubleshooting efforts, try rebooting the entire system once. This will reload all configuration files.

This is all that is required for only a few users on a small system. For multiple email domains and numerous users, however, managing authentication (passwords) and mailboxes will often require a method using virtual user files and/or a database solution such as PostgreSQL, MySQL, or LDAP.

Create a user for virtual mail

Note: this is only used with a virtual vmail account, as with LDAP or a database backend.

During the setup of the lamp-server, you will be prompted to establish a root superuser password for MySQL (e.g. rootmysqlpw). This is used many times (now and in the future), so it is important to record it in a handy place. When setting up dbconfig-common, for example, this password is requested. Also, clearly, you should choose Apache2 during the dbconfig-common prompts.

Create a backend LDIF file by copying the following example LDIF file, naming it backend.mydomain.org.ldif, somewhere on your system (e.g. to the /etc/ldap folder) (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):

Create a frontend LDIF file by copying the following example LDIF file, naming it frontend.mydomain.org.ldif, somewhere on your system (e.g. to the /etc/ldap folder) (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):

Edit the /etc/dovecot/dovecot-ldap.conf configuration file (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):

sudo kate /etc/dovecot/dovecot-ldap.conf

Set the host(s) of the LDAP server(s) (port 389 is the LDAP default and can be omitted):

hosts = ldap.mydomain.org:389

Set TLS to yes, so that the connection to the LDAP server (and the bind credentials sent over it) is encrypted:

tls = yes

Set the LDAP version:

ldap_version = 3

Moving Maildir directories

Maildir directories can be moved from one server to another, but it is tricky. The subfolders are stored as hidden (dot-prefixed) directories, and hidden entries are not picked up by routine wildcard copies, so they must be moved separately.

If you can sort out the permissions required by your server (which may require root permissions, postfix permissions, user permissions, or vmail virtual user permissions depending on your setup) then do so, but until you are certain that everything else works, it is easiest to open all permissions initially and then tighten them secondarily.

Once I determined the correct user (e.g. emailuser, root, postfix, or vmail, depending on the system) I then changed the owner to the correct owner (chown user:user) and chmod to 700 for all the Maildir directories.
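The following POSIX shell functions are an added example, not code from the original page: make_maildir_skeleton builds the Dovecot-compatible Maildir skeleton described in the "Create a Dovecot-compatible Maildir directory skeleton" section, and copy_maildir moves a Maildir the way this section describes, hidden dot-folders included, before applying the chown user:user and chmod 700 tightening. The default folder set (Sent, Drafts, Trash) and the plain one-name-per-line subscriptions file are assumptions made for the example.

```shell
# make_maildir_skeleton DIR
# Builds a Maildir++ tree: the mandatory cur/new/tmp directories plus a
# default folder set (assumed here: Sent, Drafts, Trash). Each folder is a
# hidden dot-directory with its own cur/new/tmp and an empty "maildirfolder"
# marker, which is the Maildir++ convention Dovecot follows.
make_maildir_skeleton() {
    root=$1
    mkdir -p "$root/cur" "$root/new" "$root/tmp" || return 1
    for f in Sent Drafts Trash; do
        mkdir -p "$root/.$f/cur" "$root/.$f/new" "$root/.$f/tmp" || return 1
        : > "$root/.$f/maildirfolder"
        echo "$f"
    done > "$root/subscriptions"   # one folder name per line (format assumed)
    # directories 700, files 600: only the mailbox owner can read the mail
    find "$root" -type d -exec chmod 700 {} + && find "$root" -type f -exec chmod 600 {} +
}

# copy_maildir SRC DST [OWNER]
# Copies a whole Maildir to a new location. Copying the directory itself
# (not SRC/*) carries the hidden .Folder entries along; ownership is then
# handed to OWNER (needs root, skipped when omitted) and the modes tightened.
copy_maildir() {
    src=$1; dst=$2; owner=${3:-}
    [ -d "$src/cur" ] && [ -d "$src/new" ] || { echo "not a Maildir: $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }
    cp -a "$src" "$dst" || return 1
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$dst" || return 1
    fi
    find "$dst" -type d -exec chmod 700 {} + && find "$dst" -type f -exec chmod 600 {} +
}
```

Source the file and call, for example, copy_maildir /home/emailuser/Maildir /mnt/backup/Maildir emailuser; rsync -a is the equivalent over the network.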

Also be aware that most USB/Flash/Thumb drives are formatted as FAT32 and will not maintain file permissions. Using them as copying media will not work (unless they are re-formatted to ext3 or ext4). It is also tricky to maintain file permissions when using NFS or SMB networked folders, since root permissions over the share are disabled by default (root squashing) and recent protocols do not easily permit the "no_root_squash" option. It is easiest to use direct (or rsync) copying, or to copy to a (non-formatted) CD/DVD as an intermediate medium.

Also, email files in Maildir folders are designated with the name of the original server. When moving to a new server, it may be necessary to include the name of the old server as a destination in the Postfix main.cf configuration file: